in-toto@1.4.0 vulnerabilities

A framework to define and secure the integrity of software supply chains

  • latest version: 3.0.0

  • first published: 7 years ago

  • latest version published: 1 year ago

  • Direct Vulnerabilities

    Known vulnerabilities in the in-toto package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: External Control of System or Configuration Setting (severity: M)

    Affected versions of this package are vulnerable to External Control of System or Configuration Setting. in-toto reads its configuration from several directories, and that configuration lets users change the behavior of the framework. These directories follow the XDG base directory specification. Among the files read is .in_totorc, a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in a .in_totorc file that contains the necessary exclude patterns and settings.

    How to fix External Control of System or Configuration Setting?

    Upgrade in-toto to version 2.0.0 or higher.

    Vulnerable versions: [,2.0.0)